US10986081B1ActiveUtility

Cross-organization registration for single sign-on

Assignee: AMAZON TECH INCPriority: Sep 28, 2017Filed: Sep 28, 2017Granted: Apr 20, 2021
Est. expirySep 28, 2037(~11.2 yrs left)· nominal 20-yr term from priority
H04L 63/108H04L 63/105H04L 63/104H04L 63/083H04L 63/0815
93
PatentIndex Score
13
Cited by
5
References
20
Claims

Abstract

A managed directory service receives a request from a first service to link a directory of a contractor service to the first service's directory. The managed directory service identifies a group within the directory of the contractor service and links the directories using this group. Through the link, the managed directory service enables users in the group to authenticate to the first service's directory using credentials for the directory of the contractor service.

Claims

exact text as granted — not AI-modified
What is claimed is: 
     
       1. A computer-implemented method, comprising:
 creating a first group in a first directory; 
 obtaining a first request to link a second directory to the first directory via the first group, the first request specifying an expiration condition for the link; 
 transmitting a second request to authorize linkage of the second directory to the first directory; 
 obtaining selection of a second group of the second directory; 
 associating users of the second group with users in the first group; 
 enabling the users in the first group to authenticate to the first directory using respective credentials of the users of the second group of the second directory; 
 detecting, at a time after enabling the users in the first group to authenticate to the first directory, that the expiration condition is met; and 
 as a result of the expiration condition being met, severing the link between the second directory to the first directory. 
 
     
     
       2. The computer-implemented method of  claim 1 , wherein the method further comprises:
 obtaining a third request to remove the first group from the first directory; and 
 in response to the third request, severing the link between the second directory to the first directory. 
 
     
     
       3. The computer-implemented method of  claim 1 , wherein associating the users of the second group with the users in the first group includes:
 detecting addition of the users of the second group to the second group; and 
 updating the first group to include respective users corresponding to the users of the second group. 
 
     
     
       4. The computer-implemented method of  claim 1 , wherein the method further comprises:
 obtaining a request to remove a user from the first group; and 
 removing the user from the second group. 
 
     
     
       5. A system, comprising:
 one or more machine-readable mediums having stored thereon a set of instructions, which if performed by one or more processors, cause the system to at least:
 obtain a request to link a second directory to a first directory, wherein:
 the first directory and the second directory are managed directories that regulate access to resources via an access policy; and 
 the link is subject to an expiration condition specified in the request; 
 
 determine a group in the second directory; and 
 enable users in the group to authenticate to the first directory using credentials for the second directory; 
 at a time after enabling the users in the group to authenticate to the first directory, terminate the link between the second directory to the first directory as a result of detecting that the expiration condition is met. 
 
 
     
     
       6. The system of  claim 5 , wherein the set of instructions further cause the system to:
 generate, in response to the request, a second group within the first directory; 
 detect addition of the users to the group in the second directory; and 
 update the second group to include respective users corresponding to the users. 
 
     
     
       7. The system of  claim 5 , wherein the set of instructions further cause the system to:
 provide a second request to obtain authorization of the link of the second directory to the first directory; and 
 establish the link between the second directory and the first directory in response to receiving an indication specifying that the link is authorized. 
 
     
     
       8. The system of  claim 5 , wherein
 the set of instructions further cause the system to prevent the users in the group from authenticating to the first directory using the credentials for the second directory as a result of terminating the link. 
 
     
     
       9. The system of  claim 5 , wherein the set of instructions further cause the system to:
 obtain a request to remove a user from the group; 
 remove the user from the group; and 
 prevent the user from authenticating to the first directory using a set of credentials of the user for the second directory. 
 
     
     
       10. The system of  claim 5 , wherein the set of instructions further cause the system to transmit, in response to the request, a second request to generate the group in the second directory. 
     
     
       11. The system of  claim 5 , wherein:
 the second directory defines attributes of the users in the group; and 
 the attributes are accessible via the first directory in a read-only format. 
 
     
     
       12. The system of  claim 5 , wherein the set of instructions further cause the system to:
 obtain a request to remove the group from the second directory; and 
 in response to the request, terminate the link. 
 
     
     
       13. A non-transitory computer-readable storage medium storing thereon executable instructions that, if executed by one or more processors of a computer system, cause the computer system to at least:
 obtain a request to link a second directory to a first directory; 
 determine selection of a group in the second directory; 
 enable users in the group to authenticate to the first directory using credentials for the second directory; 
 detect that an expiration condition for the link has been met; and 
 prevent the users in the group from authenticating to the first directory using the credentials for the second directory as a result of the expiration condition being met. 
 
     
     
       14. The non-transitory computer-readable storage medium of  claim 13 , wherein the instructions further cause the computer system to:
 remove, in response to a second request, a user from the group; and 
 prevent the user from authenticating to the first directory using a set of credentials of the user for the second directory. 
 
     
     
       15. The non-transitory computer-readable storage medium of  claim 13 , wherein:
 the second directory defines attributes of the users in the group; and 
 the instructions further cause the computer system to provide the attributes of the users via the first directory in a read-only format. 
 
     
     
       16. The non-transitory computer-readable storage medium of  claim 13 , wherein the instructions further cause the computer system to transmit, in response to the request, a second request to approve the link and to generate the group in the second directory. 
     
     
       17. The non-transitory computer-readable storage medium of  claim 13 , wherein the instructions further cause the computer system to establish the link between the second directory and the first directory in response to receiving an indication specifying that the link is authorized. 
     
     
       18. The non-transitory computer-readable storage medium of  claim 13 , wherein the instructions further cause the computer system to:
 generate, in response to the request, a second group within the first directory; and 
 update the second group to include respective users corresponding to the users in the group in the second directory. 
 
     
     
       19. The non-transitory computer-readable storage medium of  claim 13 , wherein the instructions further cause the computer system to:
 obtain a request to remove the group from the second directory; 
 remove the group from the second directory; and 
 terminate the link. 
 
     
     
       20. The non-transitory computer-readable storage medium of  claim 13 , wherein further as a result of detecting that the expiration condition is met, severing the link between the second directory and the first directory.

Join the waitlist — get patent alerts

Track US10986081B1 — get alerts on status changes and closely related new filings.

We store only your email — no account needed. See our privacy policy.